
Sunday, December 20, 2015

Why is Hyperconvergence So Hot?


To understand why hyperconvergence has gotten so popular so quickly it’s necessary to keep in mind other trends that are taking place.
There’s pressure on IT departments to be able to provision resources instantly; more and more applications are best-suited for scale-out systems built using commodity components; software-defined storage promises great efficiency gains; data volume growth is unpredictable; and so on.
More and more enterprises look at creation of software products and services as a way to grow revenue and therefore want to adopt agile software development methodologies, which require a high degree of flexibility from IT. In other words, they want to create software and deploy it much more often than they used to, so IT has to be ready to get new applications up and running quickly.

Saturday, December 12, 2015

What is Hyperconverged Infrastructure?


Given that the concept is only about two years old, it’s worth explaining what hyperconverged infrastructure is and how it’s different from its cousin converged infrastructure.
Hyperconvergence is the latest step in the now multiyear pursuit of infrastructure that is flexible and simpler to manage, or as Butler put it, a centralized approach to “tidying up” data center infrastructure. Earlier attempts include integrated systems and fabric infrastructure, and they usually involve SANs, blade servers, and a lot of money upfront.
Converged infrastructure has similar aims but in most cases seeks to collapse compute, storage, and networking into a single SKU and provide a unified management layer.
Hyperconverged infrastructure seeks to do the same, but adds more value by throwing in software-defined storage and doesn’t place much emphasis on networking. The focus is on data control and management.
Hyperconverged systems are also built using low-cost commodity x86 hardware. Some vendors, especially early comers, contract manufacturers like Supermicro, Quanta, or Dell for the hardware bit, adding value with software. More recently, we have seen the emergence of software-only hyperconverged plays, as well as hybrid plays, where a vendor may sell software by itself but will also provide hardware if necessary.
Today hyperconverged infrastructure can come as an appliance, a reference architecture, or as software that’s flexible in terms of the platform it runs on. The last bit is where it’s sometimes hard to tell the difference between a hyperconverged solution or software-defined storage, Butler said.

Monday, November 9, 2015

SSH Tunneling

You can create SSH tunnels using different kinds of forwarding:
a) Local Port Forwarding,
b) Remote Port Forwarding,
c) Dynamic Port Forwarding,
d) X Forwarding

For the full command syntax, check the online man page for ssh.

Local Port Forward

-L [bind_address:]port:host:hostport

    Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.

Suppose that I want to access a remote host (192.168.2.1:80) that is behind an SSH server (myremotemachine). On the local machine, set up a port forward from port 8080 to 192.168.2.1:80:
 $ ssh myremotemachine -L 8080:192.168.2.1:80

Open another console session on the local machine and check that the forwarded service is available on the loopback interface only, listening on tcp/8080:
 $ netstat -tunelp | grep 8080
 tcp    0   0 127.0.0.1:8080     0.0.0.0:*    LISTEN   1000   74471   4269/ssh

Then, in the local browser, go to http://localhost:8080/ to reach the web page.

In another example, you need to telnet to a network device that is reachable only from inside the remote network:
 $ ssh myremotemachine -L 2323:192.168.0.1:23

On the local machine, confirm that the service runs on the loopback interface only, listening on tcp/2323:
 $ netstat -nlp | grep 2323
 tcp    0   0 127.0.0.1:2323     0.0.0.0:*        LISTEN   4406/ssh


Then open another console session and telnet to the loopback interface:
 $ telnet localhost 2323
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 **WELCOME TO PIX501**

Add -g to allow other hosts on the same home subnet to use the forward to the remote machine. This binds the listening port to all interfaces, so only do it when every host on that subnet is trusted:
 $ ssh myremotemachine -L 2323:192.168.0.1:23 -g

The service now listens on all interfaces of the local host:
 $ netstat -nlp | grep 2323
 tcp    0   0 0.0.0.0:2323      0.0.0.0:*        LISTEN   4490/ssh

Other machines on the same subnet should then use:
 $ telnet <address-of-localhost> 2323



Remote Port Forwarding

-R [bind_address:]port:host:hostport

    Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

    By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address '*', indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled.

This initiates an SSH connection with a reverse port forward, which opens a listening port on the server that is forwarded back to the destination port on the destination host.

For example, you need to access your PC at work, but the firewall does not allow connections initiated from outside. Using an outbound port the firewall allows, you create an incoming tunnel from the computer at work to your computer at home, and then use the forwarded port from home.

 office$ ssh -R 2222:localhost:22 homeserver   

On homeserver, confirm that the forwarded port is listening on the loopback interface only:
 homeserver$ netstat -nlp | grep 2222
 tcp    0   0 127.0.0.1:2222     0.0.0.0:*        LISTEN   -

We are initiating an SSH connection with reverse port forwarding (-R), which opens listening port 2222 on homeserver; connections to it are forwarded back to port 22 on the office machine (localhost as seen from the office side). If you now open a terminal on homeserver and type:
 homeserver$ ssh localhost -p 2222

we connect to localhost (homeserver) on port 2222. Since that port was set up by the SSH connection from the office, the request is tunnelled back over that link to the office computer.
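An added check, not from the original post, for the -g and GatewayPorts cases above: it parses netstat-style listener lines and reports ssh/sshd-owned forwards bound to a wildcard address, so you can confirm that a tunnel meant for local use is not reachable from the rest of the subnet. The sample lines are constructed from the outputs shown above plus an IPv6 forward and the sshd daemon; the `exposed_forwards` and `loopback_only` names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Lists ssh port forwards on this
# host that other machines can reach: -g (local forwards) and GatewayPorts
# (remote forwards) bind the listener to 0.0.0.0 / :: instead of 127.0.0.1.
# Input is `netstat -nlp` / `netstat -tunelp` style output, as in the post.

# Constructed sample: the post's lines plus an IPv6 forward and the sshd daemon.
SAMPLE_LISTENERS='tcp    0   0 127.0.0.1:8080     0.0.0.0:*    LISTEN   1000   74471   4269/ssh
tcp    0   0 0.0.0.0:2323      0.0.0.0:*        LISTEN   4490/ssh
tcp    0   0 127.0.0.1:2222     0.0.0.0:*        LISTEN   -
tcp6   0   0 :::8080           :::*             LISTEN   5123/ssh
tcp    0   0 0.0.0.0:22        0.0.0.0:*        LISTEN   812/sshd'

# exposed_forwards [daemon_port]
# Reads listener lines on stdin and prints "<proto> <bind> <port>" for each
# LISTEN socket owned by ssh or sshd whose local address is a wildcard.
# Field 4 is the local address, the last field is PID/program. The sshd
# daemon's own port (default 22) is skipped. A "-" program field means
# netstat could not attribute the socket (not run as the owner/root), so
# such lines are not reported; rerun as root to see them.
exposed_forwards() {
    awk -v skip="${1:-22}" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $NF ~ /\/ssh/ {
            n = split($4, a, ":")
            port = a[n]
            if (port == skip) next
            # strip ":port" from the local address to get the bind address
            bind = substr($4, 1, length($4) - length(port) - 1)
            if (bind == "0.0.0.0" || bind == "::" || bind == "*")
                print $1, bind, port
        }'
}

# loopback_only [daemon_port]: succeeds when no ssh forward on stdin is exposed.
loopback_only() {
    [ -z "$(exposed_forwards "$@")" ]
}

# Demo on the constructed sample; on a live host pipe `netstat -tlnp` instead.
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_forwards
```

On the sample this reports the -g forward on 2323 and the IPv6 forward on 8080, while the loopback-bound 8080 and 2222 listeners pass.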


Dynamic Port Forwarding (SSH SOCKS proxy )

If you are on a connection that is not secure, create an SSH tunnel to the SSH server and use it as a SOCKS proxy:

 $ ssh -D 8080 remotemachine

Then set the browser's SOCKS proxy to localhost:8080.



X Forwarding

To run a GUI application installed on a remote machine but display it locally:
$ ssh -X -p 10022 192.168.2.10

Then I run the application PuTTY, which is installed only on the remote machine:
$ putty

Thursday, October 15, 2015

Junos: Corrupt pam.conf file allows unauthenticated root access

Product Affected:

This issue can affect any product or platform running Junos OS.
 
Problem:

When the pam.conf file is corrupted in certain ways, it may allow connection to the device as the root user with no password. This "fail-open" behavior allows an attacker who can specifically modify the file to gain full access to the device.

Note that inadvertent manipulation of the pam.conf by an authorized administrator can also lead to unauthenticated root access to the device. Extreme care should be taken by administrators to avoid modifying pam.conf directly.

While the standalone vulnerability may not be directly exploitable, this issue increases the severity of other attacks that may be chained together to launch a multi-stage advanced attack against the device.

This issue is assigned CVE-2015-7751.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R9, 12.3X48-D15, 13.2R7, 13.2X51-D35, 13.3R6, 14.1R5, 14.1X50-D105, 14.1X51-D70, 14.1X53-D25, 14.1X55-D20, 14.2R1, 15.1F2, 15.1R1, 15.1X49-D10, and all subsequent releases.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue is being tracked as PR 965378 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.


Workaround:
Use access lists or firewall filters to limit CLI access to the router only from trusted hosts.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via SSH or telnet only from trusted, administrative networks or hosts.

Friday, October 2, 2015

VMware Tools unleashed

Prior to this change the ISO file that was downloaded with a new build would be placed on the local datastore of an ESXi host. When applying the VMware Tools to a virtual machine the ISO would be mounted from the local datastore and unmounted after the installation / update was done. Now that the VMware Tools aren’t included with the ESXi builds it is no longer possible to download them through Update Manager. You can now download them directly from the VMware site, but that still means you need to get the ISO ready for use.
Copying the ISO to every ESXi would be a time consuming task and luckily there is an alternative. It is possible to change the location where an ESXi host looks for the VMware Tools. On each host there is a location called the “ProductLocker”, which is a symbolic link that is created when booting a host. This link by default points to a directory on the local datastore. Fortunately for us the location that the symbolic link points to can be changed so that a shared datastore can be used.
First you need to create a directory on one of your shared datastores, as I have done in the screenshot below.
[Screenshot: VMwaretools_Folder]
It doesn’t matter what name you give the directory as long as the sub folder has the name “vmtools”. In this folder you place the new VMware Tools ISO file that you downloaded from the VMware site.
Next you will need to adjust the “UserVars.ProductLockerLocation” setting on each host (you could use host profiles to reduce the manual repetition). You can find this setting within the Advanced settings for the host using the vSphere (web) client. Change this setting so that it contains the path to the directory you created in the previous step. Make note that you do not enter the sub directory that is holding the actual ISO file. The host will automatically search the sub directory within the parent directory you entered.
[Screenshot: VMwareTools_UserVars.ProductLockerLocation]
Now that the configuration is changed we need to apply it. This can be done either by rebooting the host or manually by recreating the symbolic link. For the manual way you need to run commands from the ESXi shell. For ESXi 5.x or later you can use this command:
jumpstart --plugin=libconfigure-locker.so
or
rm /productLocker
ln -s /vmfs/volumes/shared_datastore_name/vmware-tools /productLocker
After this you should be able to change to the productLocker directory and find the ISO file you placed on the datastore.
[Screenshot: VMwaretools_productlocker_new]
Now you can install or update the VMware Tools just like you would otherwise.
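As an added example, not from the original post, the following POSIX shell check validates a shared ProductLocker layout against the rules above (the setting must name the parent directory, the ISO must sit in the vmtools sub-folder, and the symlink must resolve to that parent). The function names are mine, and `relink_product_locker` is a hypothetical stand-in for the rm/ln step so the check can be exercised against a scratch directory instead of a live host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a shared ProductLocker
# layout so a typo in UserVars.ProductLockerLocation or an ISO dropped in the
# wrong folder is caught before relying on it.
#
# check_product_locker <setting> <link>
#   setting: the value intended for UserVars.ProductLockerLocation (the PARENT
#            directory, e.g. /vmfs/volumes/shared_datastore_name/vmware-tools)
#   link:    the /productLocker symlink to inspect
# Prints the first problem found and returns 1; returns 0 when the layout is sane.
check_product_locker() {
    setting="$1"
    link="$2"

    # The host appends the vmtools sub-folder itself, so configuring it
    # explicitly makes the host look for <setting>/vmtools/vmtools instead.
    case "$(basename "$setting")" in
        vmtools) echo "setting must be the parent directory, not the vmtools sub-folder"; return 1 ;;
    esac
    if [ ! -d "$setting/vmtools" ]; then
        echo "missing sub-folder $setting/vmtools"; return 1
    fi
    found=0
    for f in "$setting"/vmtools/*.iso; do
        if [ -f "$f" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then
        echo "no VMware Tools ISO in $setting/vmtools"; return 1
    fi
    if [ ! -L "$link" ]; then
        echo "$link is not a symbolic link (host not relinked yet?)"; return 1
    fi
    target=$(readlink "$link")
    if [ "$target" != "$setting" ]; then
        echo "$link -> $target, expected $setting"; return 1
    fi
    echo "ok: $link -> $setting, ISO present"
    return 0
}

# relink_product_locker <setting> <link>
# Hypothetical stand-in for the "rm /productLocker; ln -s ..." step above,
# parameterised so it can be run against a scratch directory.
relink_product_locker() {
    rm -f "$2" && ln -s "$1" "$2"
}
```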

Open-VM-Tools
Furthermore, VMware Tools for Linux (Open-VM-Tools or OVT for short) has been handed over to the Linux community, enabling the adoption of the tools in the Linux kernel main line. This means that customers don’t have to manage the lifecycle of the VMware Tools for certain Linux distributions anymore. Updating OVT will be done through the Linux update mechanism and you can no longer update them using vCenter.
For now the following distributions include OVT:
  • Fedora 19 and later releases
  • Debian 7.x and later releases
  • openSUSE 11.x and later releases
  • Recent Ubuntu releases (12.04 LTS, 13.10 and later)
  • Red Hat Enterprise Linux 7.0 and later releases
  • SUSE Linux Enterprise 12 and later releases
  • CentOS 7 and later releases
  • Oracle Linux 7 and later

Friday, September 18, 2015

Five Reasons Everyone Needs A Mentor

No matter what industry or role you’re in, or how long you’ve been there, a good mentor will guide you through pivotal career decisions, act as a neutral sounding board for ideas, and provide support during hard times. Though young people often seek out mentors in the early stages of their careers, more mid-level and seasoned professionals forgo mentorship. Here are five reasons everyone needs a mentor, no matter what stage of their career they’re at.
You’ll always have a go-to person to call
When you're making a tough decision, it can be difficult to know whose advice to ask. While family members or colleagues can provide valuable insights, having your one "go to" person in times of crisis can be valuable. It's comforting to know that when things get tough, you always know who to call.
Mentors provide an outside perspective
A mentor can also provide an outside perspective. When a problem hits close to home or may affect your colleagues or employees it can be difficult to find a neutral third party to listen and provide advice. A mentor won't have a stake in the issue you're trying to address and will be able to provide unbiased advice.
Mentors have the benefit of experience
Though your mentor may not have direct experience in your industry (though that's very helpful), a good mentor will have seen it all and can help you navigate through the type of tough life decisions everyone struggles with. Mentors have ideally encountered some of these challenges themselves and worked through them successfully.
A mentor will know you over time
As people increasingly switch jobs and even careers more frequently over time, having a mentor who has seen you in many roles can be enormously valuable. They can help put your hard decisions in context of your larger life and will provide the type of guidance one can only dispense by knowing someone over many years.
Mentors can bring new opportunities your way
Having someone who you respect and admire in an outside organization with different contacts can often lead to opportunities you may have not been aware of otherwise. Whether it's a new career or partnership opportunity, or a board position or speaking engagement, a mentor will help grow your network and propel your career forward.

Karl McDonnell

Thursday, September 17, 2015

VMware vCenter Server 6.0 Update 1 Release Notes

  • Customer Experience Improvement Program: The Customer Experience Improvement Program (CEIP) provides VMware with information that enables VMware to improve the VMware products and services and to fix problems. When you choose to participate in CEIP, VMware will collect technical information listed below about your use of the VMware products and services in CEIP reports on a regular basis. This information does not personally identify you. 
  • Feature Enhancement: Suite UI is now enabled by default for the vSphere Web Client.
  • Support for SSLv3: Support for SSLv3 has been disabled by default.
  • vCSA Authentication for Active Directory: VMware vCenter Server Virtual Appliance (vCSA) has been modified to only support AES256-CTS/AES128-CTS/RC4-HMAC encryption for Kerberos authentication between vCSA and Active Directory.
  • Hybrid Cloud Manager: Hybrid Cloud Manager has been updated for vSphere, and can be accessed directly from the home page of vSphere Web Client.
  • FT-vSAN Interoperability: vSAN and FT work together.
  • Appliance Management user interface: Appliance Management has a new user interface, written in HTML5.
  • Platform Services Controller: The PSC has a new management interface, written in HTML5.
  • Backup and Restore with external PSC: vCenter Server deployments with an external PSC, also called MxN, now support backup and restore.
  • Installation and Upgrade using HTML 5 installer: The following installation and upgrade scenarios are supported for vCenter Server using HTML 5 installer:
    • Installation using HTML 5 installer and target as vCenter Server is supported
    • Upgrade using HTML 5 installer and target as vCenter Server is not supported
    • Upgrade using command line and target as vCenter Server is supported

Saturday, September 12, 2015

Integrated Management Controller (IMC) Supervisor and the UCS Director - Security Updates



Cisco has released security updates to address vulnerabilities in its Integrated Management Controller (IMC) Supervisor and the UCS Director (formerly known as Cloupia Unified Infrastructure Controller). Exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access or cause a denial-of-service condition.

Saturday, September 5, 2015

Lessons from a Life of Leadership

When I was 25 years old, the President of the company I had worked for after graduating from college asked me if I wanted to manage what was then a team of five sales reps in the copier business.  I didn’t have a clue as to what I was embarking upon and where it would lead me over the next 30 years.  I had no idea what the future would hold including what I would be expected to learn on my own and what it would mean to manage and lead others. 
Early on, like many new managers, I stumbled more times than I succeeded; however, thanks to a few patient bosses, informal mentors and many talented team members, I discovered how to thrive then flourish as a leader.  The lessons I learned along the way were less about myself and more about those who worked for the organizations I was fortunate to have led. 
I learned the drastic difference between what people need versus what people want.  Everyone needs to eat, sleep, be loved, make a living, etc.  Those are fundamental needs and extend beyond the workplace into our daily lives.
But learning what people want in their work made it clear how I needed to adapt as a leader.  So much is written about “what a leader should do” and “what a leader wants from their employees”, but discovering what your people seek actually provides a clear path to becoming a successful leader.  As leaders, we are at the bottom of the inverted triangle.  It is our job to build an environment that allows people to prosper.
  • I want and value a personal connection with my boss
  • I want to know what is expected of me and be held accountable (surprise!)
  • I want my ideas to be respected and valued regardless of whether or not they are accepted
  • I want to work hard (yes, I really do!) and be challenged intellectually
  • I want to be trusted to do the right thing
  • I want to be rewarded for my accomplishments, and not the hours I work
  • I want to be appreciated and respected for my contributions (I do not need public recognition or awards)
A leader can impact each of the aforementioned items.  If we make sound hiring decisions and create an environment built around our team’s wants, then the expectations and financial goals of the organization are typically fulfilled. 
The only “golden rule” of leadership I cultivated over time was to surround myself with the best people I could, be clear about what I expected, and then allow them to do their jobs with the least possible interference.  The rest of my approach as a leader was shaped by how those people around me wanted to be treated.
I have been extremely fortunate to have worked alongside many great team members in my leadership roles, and together we discovered what motivated people to excel and find satisfaction and happiness in their work.

Tom Kemp

SVP, Key Account Manager at Lee Hecht Harrison

Thursday, August 20, 2015

Key Reasons behind Budget and Timeline Overages




Many ERP projects exceed budget and timeline expectations. Overages are due to a number of factors, including:

1. Budgets and timeframes that do not take into account business process improvement, organizational change management, backfilling and resource allocation, and / or software customization.
Mitigation Step: Create a business case and devote adequate resources to ensure accurate project planning.

2. Leadership teams that choose systems based on reputation or vendor sales pitches rather than systems that truly fit their “future state” requirements.
Mitigation Step: Leverage independent resources to conduct full requirements gathering, business process improvements and software evaluations and negotiations.

3. Leadership teams that fail to anticipate the magnitude of the project and the impact it has on end-user productivity and / or morale both prior to and following software implementation.
Mitigation Step: Conduct executive alignment and education exercises; create a business case determining goals and measurement tools, and ensure strong organizational change management planning and execution.

4. Non-customized training that is based solely on the technical aspects of the system and fails to train users on new processes.
Mitigation Step: Leverage third-party resources to customize training to each practice area and its processes.

5. Lack of concerted communication to end-users about the reasons behind the implementation, the anticipated benefits stemming from successful adoption and the ways in which each individual end-user and executive will affect project success or failure.
Mitigation Step: Create and follow a comprehensive organizational change management plan.